In the Claims: 

1. (Currently Amended) A method for detecting malicious code in a 
stream of data traffic input to a gateway of a data network, the method comprising the 
steps of; 

(a) monitoring by the gateway for at least one suspicious portion of data in 
a portion of the stream of data traffic that is expected to lack 
executable code; 

(b) upon detecting said at least one suspicious portion of data, attempting 
to disassemble said at least one suspicious portion of data thereby 
attempting to produce disassembled executable code; and 

(c) if said attempting to disassemble said at least one suspicious portion of 
data succeeds in producin^a: disassembled execut able co de , then: 
wh e rein for each instruction in said disassembled executable code[[,]]i 
(([c]Ji) assigning respectively a threat weight for each said 

instruction^;]], and 
(Ud]]ii) accumulating said threat weight to produce an 

accumulated threat weight. 

2. (Original) The method, according to claim 1, wherein said at least one 
suspicious portion of data contains at least one illegal character in a protocol of the 
stream of data traffic. 

3. (Original) The method^ according to claim 1, wherein said monitoring 
is performed by skipping acceptable data in the stream of data traffic^ said acceptable 
data being consistent with a protocol used by the data stream. 
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4. (Original) The metliod, according to claim 3, wherein said acceptable 
data includes acceptable executable code. 

5. (Original) The method, according to claim 1, wherein upon reaching a 
branch in said disassembled code, further accumulating said threat weight 
respectively for each branch option in said disassembled code, thereby producing said 
accumulated threat weight for each said branch option. 

6. (Currently Amended) The method, according to claim 1, further 
comprising the step of 

([Ie]]d)upon said accumulated threat weight exceeding a previously defined 
threshold level, perforaiing an action selected from the group of 

(i) generating an alert, and 

(ii) blocking traffic from the source of the suspicious data, 

7. (Original) The method, according to claim 6, wherein said blocking is 
solely in the stream of data traffic, 

8. (Original) The method, according to claim 1, wherein said attempting 
to disassemble is initiated at a plurality of initial instructions, each, of said initial 
instructions with a different offset within said at least one suspicious portion of data, 
and said threat weight is accumulated respectively for each said offset. 
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9. (Original) The method, according to claim 1, wherein said attempting 
to disassemble is initiated at an initial instruction of an address of previously known 
offset relative to a vulnerable return address. 

10. (Cmxently Amended) The method, according to claim 1, wherein the 
stream of data traffic includes an encoded data portion, further comprising the step of, 
prior to said attempting to disassemble: 

([[e|ld)decoding said encoded data portion. 

IL (Currently Amended) A method for detecting malicious code in a 
stream of data traffic input to a gateway of a data network the stream of data traffic 
including data packets, the method comprising the steps of : 

(a) monitoring by the gateway for at least one suspicious portion of data in 
a portion of the stream of data traffic that is expected to lack 
executable code; 

(b) upon detecting said at least one suspicious portion of data, attempting 
to disassemble said suspicious data thereby attempting to produce 
disassembled executable code; and 

(c) w h e r ein if said attempting t o disasse mble said at least one suspicious 
portion of data succeeds in producing disassembled exec utable code. 
then: for each instruction in said disassembled executable code[[,]]i 
([[c]]i) assigning respectively a threat weight for each said 

instruction[[;])^ and 
([[^^llii) accumulating said threat weight to produce an 

accumulated threat weight [[;]};, 
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wherein said threat weight for each said instruction is 
selectively either: 

(([i]]A)increased for a legal instruction, and 
(U*i)lS) decreased for an illegal instruction. 

12. (Original) The metliod, according to claim 1 1 , wherein said attempting 
to disassemble is initiated at a plurality of initial instructions, each of said initial 
instructions with a different offset within said at least one suspicious portion of data, 
and said threat weight is accumulated respectively for each said offset. 

13. (Original) The method, according to claim 11, wherein said attempting 
to disassemble is initiated at an initial instruction of an address of previously known 
offset relative to a vulnerable return address. 

14. (Currently Amended) The method, according to claim 11, further 
comprising the steps of: 

([|e]|d) receiving the data packets input from a wide area network interface of 
the gateway, thereby building the packets into a virtual stream inside 
the gateway; and 

(([fl]e) upon said accumulated threat weight exceeding a previously defined 
threshold level, performing an action selected from the group of 

(i) generating an alert, and 

(ii) blocking traffic from the source of the malicious code. 

15. (Canceled) 
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16. (Currently Amended) A program storage device readable by a 
machine, tangibly embodying a program of instructions executable by the machine to 
perfoim a method for detecting malicious code in a stream of data traffic in a data 
network, the method comprising the steps of : 

(a) monitoring by I [the]] a gateway of the network for at least one 
suspicious portion of data in a portion of the stream of data traffic tliat 
is expected to lack executable code; 

(b) upon detecting said at least one suspicious portion of data, attempting 
to disassemble said suspicious data thereby attempting to produce 
disassembled executable code; and 

(c) wherein if said atte mpting to disassemble said suspicious data succeeds 
in producing disassembled execut jable code, then: for each instruction 
in said disassembled executable code[[,]]i 

([[c]]i) assigning respectively a threat weight for each said 

instruction{|;]Ii and 
({Id]]ii) accumulating said threat weight to produce an 

accumulated threat weight[f;]]^ 

wherein said threat weight for each said instruction is 
selectively either: 

([[ij] A)increased for a legal instruction, and 
(It^mS) decreased for an illegal instruction. 

17. (Currently Amended) A computer system comprising, 
(a) a processor ; 



(b) a program storage device readable by a machine, tangibly embodying a 
program of instructions executable by the machine to perform a 
method for detecting malicious code in a stream of data traffic in a data 
network, the method including the steps of : 

([[A]]i)monitoring by the system for at least one suspicious portion of 
data in a portion of the stream of data traffic that is expected to 
lack executable code; 

([[B]]iD npon detecting said at least one suspicious portion of 
data, attempting to disassemble said suspicious data thereby 
attempting to produce disassembled executable code; and 

(i) w herein if said attempting to disassemble said suspicious data 
succeeds in producing disassembled executa ble code, then: for 
each instruction in said disassembled executable codeI[,] ji 
(IICJJA) assigning respectively a threat weight for each 

said instruction[[;]]j, and 
([[D]]B) accumulating said threat weight to produce an 
accumulated threat weight[[;]]j, 

wherein said threat weight for each said instruction is 
selectively either: 

([[i]]I) increased for a legal instruction, and 

decreased for an illegal instruction, 

18. (Original) The method, according to claim 17, wherein said attempting 
to disassemble is initiated at a plurality of initial instructions, each of said initial 
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instructions with a different offset within said at least one suspicious portion of data, 
and said threat weight is acciraiulated respectively for each said offset, 

19. (Original) The method^ according to claim 17, wherein said attempting 
to disassemble is initiated at an initial instruction of an address of previously known 
offset relative to a vulnerable return address. 

20. (Currently Amended) An apparatus for detecting malicious code in a 
stream of data traffic input to a gateway to a data network, the apparatxis comprising: 

fa> a plurality of software modules, for detecting malicious code, 
including: 

([[a]]i) a filter apparatus which filters a portion of the stream of data 
traffic that is expected to lack executable code and thereby 
detects at least one suspicious portion of data in the stream of 
data traffic[[;]]A 

(|[b]]ii) a disassembler attempting to convert binary operation 

codes into assembly instructions of said at least one suspicious 
portion of data, thereby attempting to produce disassembled 
executable code|[;]]-, and 

([[c]]iii) an assembly instructions analyzer which determines 
whether said attempting to conve rt binary op eration codes i nto 
assembly instructions of said at least one suspicious portion of 
data succeeds in producing disassembled executable code, and 
then, if said attempting to convert binary operation codes into 
assembly instructions of said at least one su s picious portion of 
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data succeeds in producing disassembled executable code, for 
each of said instructions assigns respectively a threat weight, 
accumulates respectively said threat weight thereby produces 
an accumulated threat weigh t; and 
(b) a processor for executi n g said software modules . 

2L (Original) The apparatus, according to claim 20, wherein said 
attempting to convert is initiated at a plurality of initial instructions, each of said 
initial instructions with a different offset within said at least one suspicious portion of 
data, and said threat weight is accumulated respectively for each said offset. 

22. (Currently Amended) The apparatus, according to claim 20, wherein 
said software modules f urther comprising include : 

([[d]]iY) a vulnerable retum address detector which detects an initial 
instruction for said attempting to convert. 

23. (Previously Presented) The method of claim 8, wherein said attempting 
to disassemble is initiated at every offset within said at least one suspicious portion of 
data. 

24. (Previously Presented) The method of claim 12, wherein said 
attempting to disassemble is initiated at every offset within said at least one 
suspicious portion of data. 
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25. (Previously Presented) The method of claim 18, wherein said 
attempting to dis^semble is mitiated at every offset within said at least one 
suspicious portion of data. 

26. (Previously Presented) The method of claim 21, wherein said 
attempting to convert is initiated at every offset within said at least one suspicious 
portion of data. 
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